Wirelessly enabled medical devices (WEMDs) are electronic instruments carried by patients to monitor and/or treat medical conditions. One common variety, known as an implantable medical device (IMD), is a WEMD that is surgically inserted either partially or fully into a patient's body. WEMDs provide monitoring and automatic therapies to help treat a wide range of chronic medical disorders. They are often fully instrumented embedded computing devices, with CPUs, sensors, actuators, and bi-directional radios. IMDs in particular are in use by millions of patients worldwide, and their applications and base of users are rapidly growing.
Technologists anticipate that advances in power management, wireless communication, and computation will enable WEMDs to communicate wirelessly with consumer devices such as mobile phones and smartwatches and also to intercommunicate through body area networks (BANs) in order to orchestrate monitoring and therapies across different organs. Such communications, however, will be vulnerable to eavesdropping and active manipulation. Over-the-air attacks against IMDs have already been documented that may seriously infringe patient privacy and potentially be fatal. Encryption and cryptographic integrity protection are the most prevalent countermeasures to such attacks, but they do not defeat every type of attack. Encryption may largely conceal the content of wireless communications, yet an adversary may still discover the presence of a particular medical device on or in a patient's body, and learn information about its communications, through traffic analysis: studying the sizes and timing of encrypted messages. Thus, encryption may fail to conceal certain highly sensitive information about a user's medical status.
Standard cryptographic techniques such as authenticated encryption may protect the integrity and secrecy of WEMD communications against eavesdroppers. WEMDs may also attempt to conceal their presence by not transmitting any device identifiers in the clear. Nonetheless, the presence of specific WEMD types may still be discovered by traffic analysis, that is, by analyzing message sizes and the patterns of device communication.
A WEMD (e.g., a deep brain stimulator) may transmit information about a person's medical condition (e.g., that she has a serious neurological disorder). Such information may be used to discriminate against a victim (e.g., in employment decisions), to target the victim for physical attack (e.g., exploit weaknesses in the IMD of a high-profile user), or to create nuisances such as targeted advertising (e.g., for medications suitable for a victim's medical condition). Additionally, traffic analysis may indicate information about the content of WEMD communications. For example, if an implanted cardioverter defibrillator (ICD) transmits a signal only when the ICD performs a therapy process related to a patient's heart, the mere presence of a signal may indicate a cardiac event. Thus, traffic analysis poses a threat to patient privacy that cryptography, a common tool for communications security, fails to address. Countermeasures to traffic analysis have been proposed in certain domains, such as censorship evasion, as described in K. P. Dyer, S. E. Coull, T. Ristenpart, and T. Shrimpton, Protocol Misidentification Made Easy with Format-Transforming Encryption. ACM SIGSAC Conference on Computer & Communications Security, 61-72 (2013), and Shuai Li, Mike Schliep, and Nick Hopper. Facet: Streaming Over Videoconferencing for Censorship Circumvention. ACM Workshop on Privacy in the Electronic Society, 163-172 (2014). Countermeasures to traffic analysis have further been proposed for the purposes of attacking intrusion-detection systems (IDSs), as described in D. Wagner and P. Soto, Mimicry attacks on host-based intrusion detection systems. ACM Conference on Computer and Communications Security, 255-264 (2002).
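To make the threat concrete, the following added example (not part of the original text) works only with frame metadata, as an eavesdropper who cannot decrypt payloads would. It fingerprints two constructed, hypothetical device traces by ciphertext size and timing, infers therapy events from large frames, and then applies the classic mitigation of padding every frame to a fixed length and sending at a constant rate with dummy frames, after which the two traces become indistinguishable. The device profiles, frame sizes and timings are constructed assumptions, not measurements of any real product.

```python
from statistics import mean

# Constructed sample traces: (timestamp_s, ciphertext_len) of encrypted frames.
# Only metadata is used; payloads are assumed encrypted and opaque.
ICD_TRACE = [(0.0, 48), (0.3, 48), (0.6, 48),            # telemetry heartbeat
             (120.0, 212), (120.2, 212), (120.4, 48)]    # larger frames around a therapy event
PUMP_TRACE = [(0.0, 32), (60.0, 32), (120.0, 32), (180.0, 32)]  # periodic small status beacons

# Hypothetical per-device-type profiles of frame sizes the eavesdropper has learned
PROFILES = {"ICD": {48, 212}, "pump": {32}}

def fingerprint(trace):
    """Metadata-only summary: sorted set of frame sizes and mean inter-arrival gap."""
    sizes = tuple(sorted({n for _, n in trace}))
    gaps = [b - a for (a, _), (b, _) in zip(trace, trace[1:])]
    return sizes, (round(mean(gaps), 1) if gaps else 0.0)

def classify(trace, profiles=PROFILES):
    """Names of device types whose size profile covers every size seen in the trace."""
    sizes, _ = fingerprint(trace)
    return [name for name, prof in profiles.items() if set(sizes) <= prof]

def event_times(trace, large):
    """Timestamps of frames of at least `large` bytes: a proxy for therapy events."""
    return [t for t, n in trace if n >= large]

def shape_traffic(trace, frame_len, period, horizon):
    """Mitigation: pad every frame to frame_len and emit exactly one frame per
    period until horizon, sending a dummy frame whenever no real frame is pending.
    Real frames are queued and released one per slot, so timing carries no signal."""
    pending = sorted(t for t, _ in trace)
    out, i, t = [], 0, 0.0
    while t <= horizon:
        if i < len(pending) and pending[i] <= t:
            i += 1  # a real (padded) frame occupies this slot
        out.append((t, frame_len))  # otherwise the slot carries a dummy frame
        t += period
    return out

if __name__ == "__main__":
    print("raw:", classify(ICD_TRACE), classify(PUMP_TRACE), event_times(ICD_TRACE, 200))
    a = shape_traffic(ICD_TRACE, 256, 30.0, 180.0)
    b = shape_traffic(PUMP_TRACE, 256, 30.0, 180.0)
    print("shaped:", classify(a), fingerprint(a) == fingerprint(b))
```

The cost of the mitigation is visible in the output: every slot carries a full-size frame whether or not real data exists, which is the bandwidth and energy price a battery-powered WEMD pays for hiding its traffic pattern.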
Consumers care about the privacy of medical information, particularly when such privacy relates to devices carried on or near the body. The security of IMDs in particular has been a hot-button topic because of life-threatening attacks demonstrated by researchers and the high-profile decision by former Vice President Dick Cheney to have the wireless interface on his IMD deactivated—at great inconvenience—due to security concerns.